Merge pull request #11571 from olemarkus/snapshot-tighten-deletion

Only allow deletion of snapshots owned by the cluster
Kubernetes Prow Robot 2021-05-23 07:45:38 -07:00 committed by GitHub
commit 5e720e940d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 3 deletions


@ -344,7 +344,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
}
if b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
addSnapshotPersmissions(p)
addSnapshotPersmissions(p, b.Cluster.GetName())
}
return p, nil
}
@ -783,17 +783,29 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, resource stringorslice.S
)
}
func addSnapshotPersmissions(p *Policy) {
func addSnapshotPersmissions(p *Policy, clusterName string) {
p.Statement = append(p.Statement, &Statement{
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSnapshots",
),
Resource: stringorslice.Slice([]string{"*"}),
})
p.Statement = append(p.Statement, &Statement{
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ec2:DeleteSnapshot",
),
Resource: stringorslice.Slice([]string{"*"}),
Condition: Condition{
"StringEquals": map[string]string{
"aws:ResourceTag/KubernetesCluster": clusterName,
},
},
})
}
// addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
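Review bot: The `aws:ResourceTag/KubernetesCluster` condition in the second statement only narrows `ec2:DeleteSnapshot` to snapshots that actually carry that tag, while `ec2:CreateSnapshot` in the first statement stays on `Resource: *` with no condition, so the restriction is only as strong as the guarantee that every snapshot the cluster creates is tagged with its name at creation time; nothing in this hunk shows where that tag is applied (presumably the CSI driver's tagging, worth confirming), and an untagged snapshot would become undeletable by the cluster rather than deletable. Since the signature line is already being rewritten, this is also the moment to fix the `Persmissions` typo in the function name and to give the function a doc comment like its neighbour `addLegacyDNSControllerPermissions` has, e.g. `// addSnapshotPersmissions grants the EBS snapshot permissions used by the snapshot controller; ec2:DeleteSnapshot is limited to snapshots tagged KubernetesCluster=clusterName.` A one-line why-comment on the `Condition` block, such as `// Deletion is scoped to this cluster's snapshots via the KubernetesCluster tag.`, would help the next reader see why DeleteSnapshot lives in its own statement.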